

APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. [1] Some analysts track APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same. [2] [3] [4]

ID: G0073
Associated Groups: Codoso, C0d0so0, Codoso Team, Sunshop Group
Contributors: FS-ISAC, Darren Spruell
Version: 1.2
Created: 17 October 2018
Last Modified: 11 October 2019

Associated Group Descriptions

Name Description
Codoso [4]
C0d0so0 [4]
Codoso Team [3]
Sunshop Group [6]

Techniques Used

Domain ID Name Use
Enterprise T1043 Commonly Used Port

APT19 used TCP port 80 for C2.[1]

Enterprise T1132 Data Encoding

An APT19 HTTP malware variant used Base64 to encode communications to the C2 server.[4]

Enterprise T1140 Deobfuscate/Decode Files or Information

An APT19 HTTP malware variant decrypts strings using single-byte XOR keys.[4]

Enterprise T1073 DLL Side-Loading

APT19 launched an HTTP malware variant and a Port 22 malware variant using a legitimate executable that loaded the malicious DLL.[4]

Enterprise T1189 Drive-by Compromise

APT19 performed a watering hole attack on forbes.com in 2014 to compromise targets.[4]

Enterprise T1143 Hidden Window

APT19 used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden.[1]

Enterprise T1031 Modify Existing Service

An APT19 Port 22 malware variant registers itself as a service.[4]

Enterprise T1112 Modify Registry

APT19 uses a Port 22 malware variant to modify several Registry keys.[4]

Enterprise T1027 Obfuscated Files or Information

APT19 used Base64 to obfuscate commands and the payload.[1]

Enterprise T1086 PowerShell

APT19 used PowerShell commands to execute payloads.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

An APT19 HTTP malware variant establishes persistence by setting the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Debug Tools-%LOCALAPPDATA%\.[4]

Enterprise T1117 Regsvr32

APT19 used Regsvr32 to bypass application whitelisting techniques.[1]

Enterprise T1085 Rundll32

APT19 configured its payload to inject into the rundll32.exe.[1]

Enterprise T1064 Scripting

APT19 downloaded and launched code within a SCT file.[1]

Enterprise T1193 Spearphishing Attachment

APT19 sent spearphishing emails with malicious attachments in RTF and XLSM formats to deliver initial exploits.[1]

Enterprise T1071 Standard Application Layer Protocol

APT19 used HTTP for C2 communications. APT19 also used an HTTP malware variant to communicate over HTTP for C2.[1][4]

Enterprise T1082 System Information Discovery

APT19 collected system architecture information. APT19 used an HTTP malware variant and a Port 22 malware variant to gather the hostname and CPU information from the victim’s machine.[1][4]

Enterprise T1016 System Network Configuration Discovery

APT19 used an HTTP malware variant and a Port 22 malware variant to collect the MAC address and IP address from the victim’s machine.[4]

Enterprise T1033 System Owner/User Discovery

APT19 used an HTTP malware variant and a Port 22 malware variant to collect the victim’s username.[4]

Enterprise T1204 User Execution

APT19 attempted to get users to launch malicious attachments delivered via spearphishing emails.[1]
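As an added example of defensive detection logic (not part of the ATT&CK entry and not any vendor's tooling), the Python below runs over constructed Sysmon-style events and flags three behaviours recorded above: the -W Hidden PowerShell window (T1143), a Base64-encoded PowerShell command (T1027), and a Run key value named Windows Debug Tools-<LOCALAPPDATA> (T1060). The event fields, file paths, user name and the encoded command are all constructed for the example.

```python
import base64
import re

# Constructed sample: Base64 of UTF-16LE text, the encoding -EncodedCommand expects (benign by design).
ENC = base64.b64encode("Write-Output hello".encode("utf-16le")).decode()

# Constructed Sysmon-style events (not from the page); paths and names are made up.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -W Hidden -enc {ENC}"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"Windows Debug Tools-C:\Users\alice\AppData\Local", "data": r"C:\Users\alice\AppData\Local\svc.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

# -W Hidden / -WindowStyle Hidden (T1143) and -e / -enc / -EncodedCommand <b64> (T1027)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(b64):
    # Plaintext of an -EncodedCommand argument, or None if it is not valid Base64/UTF-16LE
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def check_process(ev):
    """Flag hidden-window and Base64-encoded PowerShell invocations."""
    findings = []
    if "powershell" not in ev["image"].lower():
        return findings
    if HIDDEN_RE.search(ev["cmdline"]):
        findings.append("T1143 hidden PowerShell window (-W Hidden)")
    m = ENC_RE.search(ev["cmdline"])
    if m:
        findings.append(f"T1027 Base64-encoded command: {decode_encoded_command(m.group(1))!r}")
    return findings

def check_registry(ev):
    # Run key value named like the APT19 HTTP variant's persistence entry (T1060)
    if ev["key"].lower().endswith(r"\currentversion\run") and ev["value"].startswith("Windows Debug Tools-"):
        return ["T1060 Run key value 'Windows Debug Tools-<LOCALAPPDATA>' (APT19 HTTP variant)"]
    return []

def scan(events):
    checks = {"process": check_process, "registry": check_registry}
    return [(ev, f) for ev in events if (f := checks[ev["type"]](ev))]
```

The registry rule is deliberately narrow (a value-name prefix under HKCU\...\Run); a broader hunt would also review HKLM Run keys and any Run value whose data points into %LOCALAPPDATA%.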


Software

ID Name References Techniques
S0154 Cobalt Strike [1] Access Token Manipulation, BITS Jobs, Bypass User Account Control, Command-Line Interface, Commonly Used Port, Component Object Model and Distributed COM, Connection Proxy, Credential Dumping, Custom Command and Control Protocol, Data from Local System, Execution through API, Exploitation for Privilege Escalation, Indicator Removal from Tools, Input Capture, Man in the Browser, Multiband Communication, Network Service Scanning, Network Share Discovery, New Service, Parent PID Spoofing, Pass the Hash, PowerShell, Process Discovery, Process Hollowing, Process Injection, Remote Desktop Protocol, Remote Services, Remote System Discovery, Scheduled Transfer, Screen Capture, Scripting, Service Execution, Standard Application Layer Protocol, Timestomp, Valid Accounts, Windows Admin Shares, Windows Management Instrumentation, Windows Remote Management
S0363 Empire [5] Access Token Manipulation, Accessibility Features, Account Discovery, Browser Bookmark Discovery, Bypass User Account Control, Clipboard Data, Command-Line Interface, Commonly Used Port, Component Object Model and Distributed COM, Create Account, Credential Dumping, Credentials from Web Browsers, Credentials in Files, Data Compressed, DLL Search Order Hijacking, Domain Trust Discovery, Email Collection, Execution through API, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Modification, Hooking, Input Capture, Kerberoasting, LLMNR/NBT-NS Poisoning and Relay, Modify Existing Service, Network Service Scanning, Network Share Discovery, Network Sniffing, Obfuscated Files or Information, Pass the Hash, Pass the Ticket, Path Interception, PowerShell, Private Keys, Process Discovery, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Remote Services, Scheduled Task, Screen Capture, Scripting, Security Software Discovery, Security Support Provider, Service Execution, Shortcut Modification, SID-History Injection, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Timestomp, Trusted Developer Utilities, Video Capture, Web Service, Windows Management Instrumentation